-
Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
eskimo Nov 16, 2016 1:12 AM (in response to xwu)There’s been recent changes in this space; see Network Extension Framework Entitlements for details.
Given that you previously had access to
com.apple.managed.vpn.shared
, I presume you were granted access to Network Extension special entitlements. If so, are you generating your profile via the new mechanism (enabling the Network Extensions service on your App ID and generating a normal profile from that) or the old mechanism (adding the Network Extension additional entitlements when you generate your provisioning profile)?Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardwarelet myEmail = "eskimo" + "1" + "@apple.com"
-
Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
AppDev20 Nov 16, 2016 7:22 AM (in response to eskimo)Thanks Eskimo.
We noticed the new Network Extension entitlement in the App ID list and also enabled it for our app. After this, we generated the provisioning profile twice. First we selected Default in the Entitlements dropdown while generating the profile and then selected Network Extension in the Entitlements dropdown. In both cases, we do not see the "com.apple.managed.vpn.shared" entitlement in the generated provisioning profile.
We do see the "com.apple.developer.networking.networkextension" entitlement in the profile in both cases. The issue is the missing "com.apple.managed.vpn.shared" entitlement. Because this entitlement is missing, we are not able to read the certificate and key from the keychain for authenticating with the VPN server. We compared the profile we generated last week to the one that is getting generated this week and the missing entry is the "com.apple.managed.vpn.shared" entitlement from "<key>keychain-access-groups</key>" array.
We also tried to create a brand new App ID with the Network Extension and Personal VPN entitlements selected but using that also the provisioning profile doesn't have the "com.apple.managed.vpn.shared" entitlement.
Please let us know if there is a change for accessing the key chain data too?
Thanks
-
Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
eskimo Nov 17, 2016 1:55 AM (in response to AppDev20)In both cases, we do not see the "com.apple.managed.vpn.shared" entitlement in the generated provisioning profile.
Bummer.
Access to this ‘slice’ of the keychain is an interesting edge case in the new Network Extension entitlement story. I don’t have all the details, so I can’t help you out in this context. Please open a DTS tech support incident and I’ll get this sorted out.
ps Once you’ve opened the TSI, email me the follow-up number so that I can make sure I catch it promptly. My email address is in my signature.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardwarelet myEmail = "eskimo" + "1" + "@apple.com"
-
Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
AppDev20 Nov 17, 2016 10:26 AM (in response to eskimo)Thanks Eskimo.
I've opened a DTS. The number is: 652870788.
Thanks
-
-
-
-
Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
winc03 Nov 18, 2016 1:06 PM (in response to xwu)Hi XWu,
I am having the exact problem. My "old" entitlements that were generated from the template work. However, we want to add another developer to the team and cannot re-generate the provisioning profiles. They are missing the shared keychain access.
Let me know if this gets resolved.
BR,
winc03
-
Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
eskimo Nov 21, 2016 1:24 AM (in response to winc03)Let me know if this gets resolved.
I’ve made a note to update this thread once I’ve driven this to a conclusion.
Just FYI, most of Apple is off work this week for the US Thanksgiving holiday, so I’m not likely to make any progress here until early Dec.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardwarelet myEmail = "eskimo" + "1" + "@apple.com"
-
Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
mike.ly Nov 22, 2016 9:36 AM (in response to eskimo)I ran into the same issue, but it manifested with my VPN app crashing upon launch and the following error in the Console:
taskgated: killed <VPN app ID> because its use of the com.apple.developer.networking.networkextension entitlement is not allowed (error code -67050)
I went through all the usual entitlements troubleshooting multiple times on multiple systems with no luck. After reading this thread, I removed the "com.apple.managed.vpn.shared" entitlement from both the app and the extension, and now they're both working again.
Just thought I'd share in case anyone else is running into the same thing.
-
Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
AppDev20 Dec 1, 2016 9:25 AM (in response to eskimo)Hi Eskimo,
Is there any update on this? We need to generate new profiles with the correct entitlements to release our app for testing. Please let us know.
Thanks
-
Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
AppDev20 Dec 19, 2016 11:36 AM (in response to AppDev20)Hi Eskimo,
It has been more than a month since we opened a DTS on this. We are stuck and cannot release our app because the provisioning profile is not correct. It seems to be an issue with the Apple developer portal that generates the provisioning profile. It is critical for us to get a resolution to this issue asap. Can you let us know how long it would take to fix the issue?
Thanks.
-
Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
eskimo Dec 19, 2016 2:17 PM (in response to AppDev20)Can you let us know how long it would take to fix the issue?
While I understand your frustration here, I’m not going to discuss official DTS business here on DevForums. You should follow up via your DTS incident.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardwarelet myEmail = "eskimo" + "1" + "@apple.com"
-
-
-
-
Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
xwu Jan 9, 2017 2:58 PM (in response to winc03)Apple still not fix this issue
-
-
Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
Yathish Murthy Nov 28, 2016 9:27 PM (in response to xwu)Even I'm facing the same issue. Created the entitlements as documented in https://forums.developer.apple.com/thread/67613
com.apple.managed.vpn.shared is missing in newly generated profile and hence I'm not able to read the certificate.
-
Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
ve6yeq Dec 9, 2016 4:43 AM (in response to xwu)I am also encountering the same issue with missing "com.apple.managed.vpn.shared" keychain access which is blocking network extension development on iOS due to not being able to access the client certificate included in the configuration profile. Is there an existing support ticket that I can add to raise the priority or should I create a new one?
In the meantime, here is what I observe. Using the "new" network extension entitlement on the AppID I get a provisioning profile without the "com.apple.managed.vpn.shared" keychain access:
<key>Entitlements</key> <dict> <key>com.apple.developer.networking.networkextension</key> <array> <string>app-proxy-provider</string> <string>content-filter-provider</string> <string>packet-tunnel-provider</string> </array> <key>keychain-access-groups</key> <array> <string>Z7N7QHVWT2.*</string> </array> <key>get-task-allow</key> <true/> <key>application-identifier</key> <string>Z7N7QHVWT2.com.vmware.ios-tunnel</string> <key>com.apple.security.application-groups</key> <array> <string>group.com.vmware.ios-tunnel</string> </array> <key>com.apple.developer.team-identifier</key> <string>S2ZMFGQM93</string> </dict>
And if I use the old method of adding the Network Extension iOS (Dev) entitlement when creating the development provisioning profile I get a profile without the "com.apple.managed.vpn.shared" keychain access but with a "com.apple.developer.networking.Hotspot" entitlement added:
<dict> <key>keychain-access-groups</key> <array> <string>Z7N7QHVWT2.*</string> </array> <key>get-task-allow</key> <true/> <key>application-identifier</key> <string>Z7N7QHVWT2.com.vmware.ios-tunnel</string> <key>com.apple.security.application-groups</key> <array> <string>group.com.vmware.ios-tunnel</string> </array> <key>com.apple.developer.team-identifier</key> <string>S2ZMFGQM93</string> <key>com.apple.developer.networking.networkextension</key> <array> <string>packet-tunnel-provider</string> <string>app-proxy-provider</string> <string>content-filter-provider</string> </array> <key>com.apple.developer.networking.HotspotHelper</key> <true/> </dict>
This is close to the previous profile which has both the keychain access and the Hotspot profile:
<dict> <key>keychain-access-groups</key> <array> <string>Z7N7QHVWT2.*</string> <string>com.apple.managed.vpn.shared</string> </array> <key>get-task-allow</key> <true/> <key>application-identifier</key> <string>Z7N7QHVWT2.com.vmware.ios-tunnel</string> <key>com.apple.security.application-groups</key> <array> <string>group.com.vmware.ios-tunnel</string> </array> <key>com.apple.developer.team-identifier</key> <string>S2ZMFGQM93</string> <key>com.apple.developer.networking.networkextension</key> <array> <string>packet-tunnel-provider</string> <string>app-proxy-provider</string> <string>content-filter-provider</string> </array> <key>com.apple.developer.networking.HotspotHelper</key> <true/> </dict>
-
Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
eskimo Jan 9, 2017 3:44 PM (in response to ve6yeq)Is there an existing support ticket that I can add to raise the priority or should I create a new one?
Creating a new support ticket won’t raise the priority here. Once the folks responsible have decided on a new plan, I’ll update my Network Extension Framework Entitlements. Until then you’re just stuck )-:
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardwarelet myEmail = "eskimo" + "1" + "@apple.com"
-
Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
AppDev20 Jan 11, 2017 10:58 AM (in response to eskimo)Hi Eskimo,
Two months is a very long time to be "stuck"! We are facing this issue now in our macOS VPN app too and are not even able to build/test the VPN app because the provisioing profile is not correct. This is not an enhancement that we are asking for, this is a very critical feature that was working and got broken two months back!
Do you have any ETA on when it will be fixed or acknowledged as an issue?
Thanks
-
-
-
Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
esgbesbuild Jan 13, 2017 3:20 PM (in response to xwu)Hi Eskimo,
We are also seeing this issue.
After creating new Provisioning Profile from apple portal it is missing "com.apple.managed.vpn.shared" keychain sharing key. We tried it without this string in our entitlements but have no ability to access the client certificate in the configuration profile, so it can’t start a VPN.
Do we have a fix or workaround for this?
Thanks
-
Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
eskimo Jan 15, 2017 8:55 AM (in response to esgbesbuild)Do we have a fix or workaround for this?
Alas, nothing has changed since I responded on this thread on 9 Jan.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardwarelet myEmail = "eskimo" + "1" + "@apple.com"
-
-
Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
mike.ly Jan 23, 2017 4:27 PM (in response to xwu)I'm stuck waiting on the same issue. I filed bug report 30155113. Eagerly looking forward to a solution. Thanks Eskimo for keeping us updated!
-
Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
eskimo Jan 25, 2017 3:58 AM (in response to xwu)I just updated my Network Extension Framework Entitlements post with information about how you can get access to the
com.apple.managed.vpn.shared
keychain access group. Yay!I appreciate everyone’s patience here.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardwarelet myEmail = "eskimo" + "1" + "@apple.com"
-
Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
xwu Jan 25, 2017 11:00 AM (in response to eskimo)Hi Eskimo,
#8 — On the Mac, can Developer ID apps host Network Extension providers?
Currently this is not possible; only Mac App Store apps can host Network Extension providers.
We are building a Mac VPN app with Packet Tunnel Provider, so how can we debug and test it? can we do it locally, or do we need to submit it to Mac App Store in order to test it?
Thanks!
-
Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
eskimo Jan 25, 2017 1:51 PM (in response to xwu)We are building a Mac VPN app with Packet Tunnel Provider, so how can we debug and test it?
You can test the same way you test any Mac App Store app, by building it with a Mac App Store development profile. When creating the profile in the Certificates, Identifiers & Profiles page, select Mac App Development.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardwarelet myEmail = "eskimo" + "1" + "@apple.com"
-
-
Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
mike.ly Jan 25, 2017 1:12 PM (in response to eskimo)Thanks very much! I filed a TSI per your instructions.
-
Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
Surender Singh Jan 26, 2017 11:40 PM (in response to eskimo)Hi Eskimo, We are facing exactly the same issue and I have been closely following this forum. I didn't post anything untill now becuase enough people had already reported this issue. Now as per your FAQ#9, We filed a DTS to request this missing entitlement and below is the response we got in return. As per their email I contacted developer program and they pointed me to the new way of generating profiles by enabling the Network Extension service for AppID, Which we did but the new profiles too didnt work becuase ours is the case you mentioned in FAQ#9. Please suggest where do we go from here. We are blocked.
As always thanks for your awesomeness!
-Surender
-----
Thank you for contacting Apple Developer Technical Support (DTS). We provide support for code-level questions on hardware & software development, and are unable to help you with your question.
For such questions, please contact the Apple Developer Program Support Team. You can contact them directly via web form <Also, when contacting them, be sure to mention that you were referred by DTS.
While a Technical Support Incident (TSI) was initially debited from your Apple Developer Program account for this request, we have assigned a replacement incident back to your account.
We hope this information is helpful to you.
Apple Developer Support
Worldwide Developer Relations
----
-
Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
eskimo Jan 27, 2017 1:25 AM (in response to Surender Singh)I didn't post anything untill now becuase enough people had already reported this issue.
Indeed.
Now as per your FAQ#9, We filed a DTS to request this missing entitlement and below is the response we got in return.
It seems your request got misidentified. Please email me (my email address is in my signature, below) the follow-up number and I’ll take a look.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardwarelet myEmail = "eskimo" + "1" + "@apple.com"
-
-
Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
AppDev20 Feb 2, 2017 7:30 AM (in response to eskimo)Thanks very much Eskimo. We are able to generate the provisioning profile correctly now.
-
-
Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
onavo Mar 27, 2017 12:39 PM (in response to xwu)Same issue here. Filed TSI with follow up # 662220389
-
Re: Missing entry com.apple.managed.vpn.shared in provisioning profile
eskimo Mar 28, 2017 1:36 AM (in response to onavo)Hey hey! During my one-on-one with my boss last night I told him that these requests have completely dried up, and now you’ve made me a liar (-: Oh well, never mind.
We’ll be in touch shortly via official channels.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardwarelet myEmail = "eskimo" + "1" + "@apple.com"
-